def create_service_account(session, actor, name, description, machine_set, owner):
    # type: (Session, User, str, str, str, Group) -> ServiceAccount
    """Create a service account together with its backing user.

    The new account is registered with the owning group (which also updates the
    counter and commits the session), and an audit-log entry is recorded
    against both the owning group and the new user.

    Args:
        session: database session the new rows are added to
        actor: user performing the creation; recorded in the audit log
        name: username of the new service account
        description: free-form description stored on the account
        machine_set: machine set string; checked by plugins when not None
        owner: group that will own the new account

    Returns:
        The newly created ServiceAccount.

    Throws:
        BadMachineSet: if some plugin rejected the machine set
        DuplicateServiceAccount: if a user with the given name already exists
    """
    backing_user = User(username=name, is_service_account=True)
    account = ServiceAccount(
        user=backing_user, description=description, machine_set=machine_set
    )

    # Validate before anything touches the session, so a rejected machine set
    # never leaves partially-added rows behind.
    if machine_set is not None:
        _check_machine_set(account, machine_set)

    try:
        backing_user.add(session)
        account.add(session)
        session.flush()
    except IntegrityError:
        # Per the documented contract an integrity error here means the
        # username is already taken; roll back and surface a domain error.
        session.rollback()
        raise DuplicateServiceAccount("User {} already exists".format(name))

    # add_service_account updates the counter and commits, so no separate
    # update or commit is needed for the account creation itself.
    add_service_account(session, owner, account)

    AuditLog.log(
        session,
        actor.id,
        "create_service_account",
        "Created new service account.",
        on_group_id=owner.id,
        on_user_id=account.user_id,
    )
    return account
def create_service_account(self, name, owner, machine_set, description, initial_metadata=None):
    # type: (str, str, str, str, Optional[Dict[str,str]]) -> None
    """Create a service account named ``name`` owned by the group ``owner``.

    Args:
        name: username of the new service account
        owner: name of the group that will own the account
        machine_set: machine set string stored on the account
        description: free-form description stored on the account
        initial_metadata: optional user-metadata key/value pairs to set on
            the new user after it has been flushed

    Raises:
        GroupNotFoundException: if no group named ``owner`` exists.
    """
    owning_group = Group.get(self.session, name=owner)
    if not owning_group:
        raise GroupNotFoundException(owner)

    # Persist the backing user and the account row.
    sql_user = SQLUser(username=name, is_service_account=True)
    sql_account = SQLServiceAccount(
        user=sql_user, machine_set=machine_set, description=description
    )
    sql_user.add(self.session)
    sql_account.add(self.session)
    # Flush so the new user's ID is allocated before it is referenced below.
    self.session.flush()

    # Initial metadata, when given, is written one key at a time.
    # NOTE(review): keys and values are passed through as given; any
    # validation of them is assumed to live in set_user_metadata — confirm.
    for meta_key, meta_value in (initial_metadata or {}).items():
        # TODO: move this to use the hexagonal architecture model.
        set_user_metadata(self.session, sql_user.id, meta_key, meta_value)

    # Record the ownership link between the group and the new account.
    GroupServiceAccount(group_id=owning_group.id, service_account=sql_account).add(
        self.session
    )
def service_accounts(session, users, groups):
    """Fixture: one service account owned by the ``team-sre`` group.

    ``users`` is not read directly; it is listed so the user fixture is
    built before this one. Returns a mapping from the account's username to
    the ServiceAccount object.
    """
    backing_user = User(username="******", is_service_account=True)
    account = ServiceAccount(
        user=backing_user,
        description="some service account",
        machine_set="some machines",
    )
    for row in (backing_user, account):
        row.add(session)
    session.flush()
    add_service_account(session, groups["team-sre"], account)
    return {"*****@*****.**": account}
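def create_service_account(self, name, owner, machine_set, description):
    # type: (str, str, str, str) -> None
    """Create a service account named ``name`` owned by the group ``owner``.

    Args:
        name: username of the new service account
        owner: name of the group that will own the account
        machine_set: machine set string stored on the account
        description: free-form description stored on the account

    Raises:
        GroupNotFoundException: if no group named ``owner`` exists.
    """
    group = Group.get(self.session, name=owner)
    if not group:
        # Report the requested owner name: ``group`` is falsy on this path, so
        # passing it (as the code previously did) produced a useless message.
        raise GroupNotFoundException(owner)

    # Create the service account in the database.
    user = SQLUser(username=name, is_service_account=True)
    service = SQLServiceAccount(user=user, machine_set=machine_set, description=description)
    user.add(self.session)
    service.add(self.session)

    # Flush the account to allocate an ID, and then create the linkage to the owner.
    self.session.flush()
    GroupServiceAccount(group_id=group.id, service_account=service).add(self.session)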
def mark_disabled_user_as_service_account(self, name, description="", mdbset=""):
    # type: (str, str, str) -> None
    """Transform a disabled user into a disabled, ownerless service account.

    Args:
        name: username of the existing (disabled) user
        description: description stored on the new service account row
        mdbset: machine set string stored on the new service account row

    Raises:
        UserNotFoundException: if no user named ``name`` exists.

    WARNING: This function encodes the fact that the user and service account
    repos are in fact the same thing, as it assumes that a service account is
    just a user that is marked in a special way. This is a temporary breaking
    of the abstractions and will have to be cleaned up once the repositories
    are properly separate.
    """
    existing = SQLUser.get(self.session, name=name)
    if not existing:
        raise UserNotFoundException(name)

    account_row = SQLServiceAccount(
        user_id=existing.id,
        description=description,
        machine_set=mdbset,
    )
    account_row.add(self.session)
    # The flag on the user row is what marks it as a service account.
    existing.is_service_account = True
def create_service_account(self, service_account, owner, description="", machine_set=""):
    # type: (str, str, str, str) -> None
    """Test-setup helper: create ``service_account`` owned by group ``owner``.

    The owning group is created first (via ``create_group``). If a user with
    the requested name already exists the call returns without changes.
    """
    self.create_group(owner)
    owning_group = Group.get(self.session, name=owner)
    assert owning_group

    # Idempotent: an existing user of that name short-circuits the setup.
    if User.get(self.session, name=service_account):
        return

    new_user = User(username=service_account)
    new_user.add(self.session)
    # NOTE(review): new_user.id is read here, before the explicit flush
    # below; this relies on User.add (or the session) having assigned it —
    # confirm.
    account = ServiceAccount(
        user_id=new_user.id, description=description, machine_set=machine_set
    )
    account.add(self.session)
    new_user.is_service_account = True
    self.session.flush()

    # Flush first, then read account.id for the ownership link.
    ownership = GroupServiceAccount(
        group_id=owning_group.id, service_account_id=account.id
    )
    ownership.add(self.session)
def mark_disabled_user_as_service_account(self, name, description="", mdbset=""):
    # type: (str, str, str) -> None
    """Transform a disabled user into a disabled, ownerless service account.

    Only a service-account row is added and the user's flag flipped; no
    owner group link is created.

    Args:
        name: username of the existing (disabled) user
        description: description stored on the new service account row
        mdbset: machine set string stored on the new service account row

    Raises:
        UserNotFoundException: if no user named ``name`` exists.

    WARNING: This function encodes the fact that the user and service account
    repos are in fact the same thing, as it assumes that a service account is
    just a user that is marked in a special way. This is a temporary breaking
    of the abstractions and will have to be cleaned up once the repositories
    are properly separate.
    """
    target_user = SQLUser.get(self.session, name=name)
    if not target_user:
        raise UserNotFoundException(name)

    SQLServiceAccount(
        user_id=target_user.id, description=description, machine_set=mdbset
    ).add(self.session)
    # Flip the marker on the user row itself.
    target_user.is_service_account = True
def create_service_account(self, service_account, owner, description="", machine_set=""):
    # type: (str, str, str, str) -> None
    """Test-setup helper: create a service account and link it to ``owner``.

    ``create_group(owner)`` is called first, so the owning group need not
    exist beforehand. An already-existing user of the same name makes this a
    no-op.
    """
    self.create_group(owner)
    group_row = Group.get(self.session, name=owner)
    assert group_row

    if User.get(self.session, name=service_account):
        # Nothing to do: setup is idempotent per username.
        return

    user_row = User(username=service_account)
    user_row.add(self.session)
    # NOTE(review): user_row.id is consumed before the explicit flush below;
    # this assumes User.add (or the session) has already assigned it — confirm.
    account_row = ServiceAccount(
        user_id=user_row.id, description=description, machine_set=machine_set
    )
    account_row.add(self.session)
    user_row.is_service_account = True
    self.session.flush()

    # account_row.id is read only after the flush above.
    link = GroupServiceAccount(group_id=group_row.id, service_account_id=account_row.id)
    link.add(self.session)